Chrome Encrypts Gmail
The HTTPS-only access to Gmail isn't the only security move Google is making
Google, which has found Gmail to be a target of hacking attempts from China, has modified Chrome so the browser always encrypts connections with the e-mail service. Google already changed Gmail to use encryption by default, a mode indicated by the "https" at the beginning of a browser address bar that means outsiders sniffing network traffic can't read your e-mail. People could still get to the unencrypted version by typing "http://gmail.com," but no more, for Chrome.
"As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types 'gmail.com' or 'mail.google.com' into the URL bar without an https:// prefix," Google programmers said in a blog post yesterday. They said that approach defends against sslstrip-type attacks, which can be used to hijack browsing sessions. The encryption is enforced with HSTS, or HTTP Strict Transport Security, which lets a browser specify that a Web site may only be reached over a secure HTTP connection. HTTP, or Hypertext Transfer Protocol, is the standard that governs how Web browsers communicate with Web servers to retrieve a Web page.
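As an added illustration (not Google's or Chromium's code; the preload table is a constructed stand-in for Chrome's built-in list), the Python below shows the two halves of the behaviour described above: the typed-address upgrade that turns "gmail.com" into an https:// load before any request leaves the browser, which is what removes the sslstrip window, and the parsing of the Strict-Transport-Security header (RFC 6797) by which a site enrols itself in a browser's dynamic HSTS list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's built-in HSTS preload table
# (not Chrome's real list): host -> whether subdomains are covered too.
PRELOAD = {"gmail.com": True, "mail.google.com": True}

def hsts_covers(host, table=PRELOAD):
    """True if host, or a parent entry flagged includeSubdomains, is in the table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table and (i == 0 or table[parent]):
            return True
    return False

def enforce_hsts(typed, table=PRELOAD):
    """Rewrite what the user typed the way an HSTS-enforcing browser loads it."""
    url = typed.strip()
    if "://" not in url:
        url = "http://" + url          # a bare host defaults to plain http
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_covers(parts.hostname or "", table):
        return url                     # already https, other scheme, or not covered
    # Upgrade: scheme becomes https; an explicit :80 maps to 443 (RFC 6797 s.8.3),
    # any other explicit port is preserved.
    host, port = parts.hostname, parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def parse_hsts_header(value):
    """Parse a Strict-Transport-Security response header (RFC 6797 s.6.1).
    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid (max-age is mandatory); max-age=0 tells the browser to forget the host."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
            if max_age < 0:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

if __name__ == "__main__":
    for typed in ("gmail.com", "mail.google.com/mail/?x=1", "example.com"):
        print(typed, "->", enforce_hsts(typed))
```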
The moves dovetail with Google's attempt to make security a prominent selling point of its browser. By improving Chrome's security, the company stands to benefit directly by making its own services less vulnerable and indirectly by making the Web a safer place for people to spend personal and professional time. Google is a prominent target. It has disclosed attacks on Gmail that it said appeared to come from China, some in 2009 and more this year. To try to make attacks harder, it has added two-factor authentication to Gmail, which requires a code from a person's mobile phone as well as the ordinary password.
Most people don't appreciate the measures Google is taking to secure Chrome and its browser-based operating system, Chrome OS, argues Sundar Pichai, Chrome's senior vice president, in an interview at Google I/O. He points to measures such as running plug-ins such as Flash and a PDF reader in a sandbox, using a verified boot process in Chrome OS, and encrypting the Chrome OS file system.
Chrome also is the vehicle for other Google ambitions, for example to speed up the Web. Among aspects of that effort are an HTTP improvement called SPDY; a new ability to preload selected search results pages so they display much faster when a person actually clicks on the links; technology called Native Client designed to run Web-app software much faster; and the WebP image format that Google argues is faster than JPEG.
Google also is trying to ensure that no users of Chrome and Gmail will be vulnerable to a problem that reared its head in March when an affiliate of a New Jersey company called Comodo was hacked, apparently by an Iranian. Comodo and its affiliate issue digital certificates that browsers use to establish encrypted connections to Web sites, but the attack produced fake encryption certificates for Yahoo, Skype, Google, and Mozilla. The Comodo issue is leading browser makers to rethink certificate technology.
Now, for some sites including Gmail, Chrome accepts certificates originating only from a short list of providers, not from the hundreds available on the global Internet. That list includes Verisign, Google Internet Authority, Equifax, and GeoTrust, according to a blog post by Adam Langley, a Google programmer. He adds that the list is visible in Chrome's source code.